Everything posted by cluberti

  1. I'm going to assume you have a crash .dmp file from a BSOD on your machine?
  2. There's no algorithm per se, bugcheck codes are passed to the KeBugCheck(Ex) function in Windows when a process (or the system itself) needs to crash the machine due to failure of some sort. The bugcheck codes do mean something (as do the memory addresses or error codes they contain), and you can find a list of the bugcheck codes and descriptions in the help for windbg (found in the Debugging Tools for Windows package).
  3. I've pruned this thread a bit and left only relevant info. @colore, please do provide the make/model of printer, and the printer driver being used on your XP system. Also, did this work in the past and just started failing recently, or has this printer always done this on this particular installation of XP?
  4. It's likely a specific update causing the issue, and if so this will help.
  5. Tracing requires a system with full ETL support, and you will not have full ETL support in WinPE as it's just meant for preinstallation of Windows and a recovery environment. There is some (mostly for disk and network tracing), but nothing equaling what is required to do a boot or shutdown (or even perf) tracing.
  6. This thread's getting tired, time to put it to bed. If someone's complaint is that a relatively demeaning word happens to not pass the "swear word" muster by IPB standards (for whatever reason, honestly), then I'm happy. Yes, we could probably tweak it and save the cpu cycle, but it's more trouble than it's worth, considering it'll be broken again during the next upgrade. The server's CPU cycles are cheaper than my or xper's personal time, so cheap wins again.
  7. It's hard to say if sandboxie is a part of it or not - the only thing I can say is that the prefetch was running at the time, so unless your removable drive is being used as a superfetch cache, I'm not sure what happened 100%. It could just be a timing issue you'll never see again, honestly - it's very hard to say.
  8. I suggest you will probably find discussion around IcemanND's post, and not Hiren's - most of the software on a Hiren's boot CD is free, but it does contain some very obvious non-free software you need to own if you are going to use it legally - so even if you're using one of the (very good) freeware tools, you've still got a lot of non-legal stuff there. We generally frown on discussion of anything containing such software (even if not in use), and Hiren's is a pretty big target. Since you're new here, I don't expect you to be up on what goes on here, but I have to warn you about rule 1.a.
  9. From the readme in the downloaded (link removed) zip file, emphasis mine: After reviewing the contents of the pack, while it would be fine on an actual OEM system, the installation of the WindSLIC bootloader (aka a variant of the "paradox crack" bootloader and SLIC pre-activation key method) on non-OEM systems to bypass activation is a rules violation (1.a). Second, the pack includes .torrent links to download Windows ISOs themselves as well as links to downloading MS patches and hotfixes from a location other than Microsoft, which would also be a violation of forum rules (1.b). Last but not least, it's also redistribution of Microsoft files originally found in the WAIK, which is also a violation of forum rules (1.b). There are other things in here of questionable validity as well, but given this is already at three strikes, the user is banned and the download link removed. If you want to warez Windows on your own time, so be it - we are not the internet police. However, we do not allow discussions of or links to such things here, as posted VERY CLEARLY in the forum rules. [user untermensch banned].
  10. No, but it would be consistent with poor development practices (and I would bet redistribution of IE binaries is probably not legal). I expect nothing less from Apple, honestly.
  11. It probably states that he was tired or incapable (or both) of paying for hosting a fairly heavily-visited site along with the additional costs of serving binaries, and when he stopped supporting the project he also pulled the site to save cash (remember, no one was donating, so if it was running it was coming out of his pocket). I could be wrong, but I would wager I am not.
  12. Yes, unless you have access to the webserver's disk itself, you're not going to see the PHP running on the back end, similar to how you aren't going to see the ASP.NET running on the back end of an aspx page.
  13. I dunno, my empirical experience has been the opposite - all of the 3.5" WD external drives I've owned (I've owned 7, glutton for punishment) have been crap (and it's probably not the drives themselves, but the crappy enclosures they run in all day that seem to have airflow design as an afterthought) and died within the first year of ownership. They've all been warranty returns, but the fact I went through 3 in 9 months at one point was enough to swear me off of full-size external drives for good, and buy only laptop-size 2.5" HDDs and enclosures. I've had the same WD 80GB 2.5" external HDD for years, and I have another I purchased 2 years ago still going strong. Given WD use regular old 3.5" and 2.5" HDDs in the enclosures (I've opened enough to say with some authority), it seems that the designs of the larger 3.5" HDD enclosures leave something to be desired. Again, though, this is just my limited experience over the last 5 or so years specifically with external HDDs from WD.
  14. Once you've sealed an image, it's sealed. You can't go back and re-do audit mode, and honestly, I'd consider rebuilding that image entirely at this point or just find another way to copy the profile.
  15. cluberti

    BSOD

    The problem with a 0x7E bugcheck is that it's probably the most common bugcheck, and those numbers (and the data that was on the bugcheck blue screen) mean something - without them, all I can tell you is that you had a stop 0x7E bugcheck. If things were working before the storm and aren't afterwards, either the storm did do some electrical damage to the machine, or it's just a coincidence and the shutdown/reboot brought about something broken while the machine was last up that manifested itself after the reboot. Of course I'd be testing the memory and stress-testing the system itself to see if there really is any damage, as a machine that was on in an electrical storm without any sort of heavy-duty UPS+surge protection from the outlet(s) it was plugged into can be suspect. If the bugchecks continue, make note of the codes - if they start to go all over the place, it's more likely to be bad hardware (assuming you do a clean reinstall of course), but if they stay on stop 0x7E, then that would more likely be a driver issue (and a .dmp file generated from the crashes would help pinpoint which).
  16. Explorer.exe actively seems to try to dissuade you from attaching a debugger on Vista and Win7, but I don't think it's that picky on Windows XP. What I would suggest you do would be to download UMPD 8.1, extract the .exe by running it (default location is C:\kktools, but you can change this if necessary), and then install the x86 version from setup.exe in the x86 folder you extracted (you may have to reboot for the install to finish - if you do, it'll prompt you to reboot after the install completes). Next, go into the Control Panel, open the new Process Dumper applet, and click the "New" button and type in "explorer.exe" (minus the quotes, of course) - click OK to create the rule. Next, click the "Rules" button and click "Use custom rules". Click the "All exceptions" box, click "Monitor process exit", select the "Complete" minidump type underneath, and then change the "Dump file folder" path to something other than %windir% (C:\TEMP is my usual go-to location). Click OK twice to set the rule in action, and reboot to see if you can recreate the problem (and thus .dmp files in C:\TEMP).
  17. No, actually, it's not, and it requires usage of their program to see the memory as well. Is there any way you can get a dump of explorer crashing using Microsoft's tools? I don't care what the page says for this tool, the dump files generated by adplus/cdb.exe are much easier to actually look at in a debugger, and they create actual memory files that can be analyzed and inspected rather than just static log files with callstack and module info (anyone can create those, and that's precisely why they're almost completely useless). Of note, I did say they were *almost* completely useless - case in point, I did manage to get the file you uploaded to open, and while it really is almost useless data, I did see that explorer.exe is loading ieframe.dll (an IE binary) from C:\Program Files\Quicktime rather than C:\Program Files\Internet Explorer - seems kinda odd, no?
  18. It almost seems like there's some weird play here between Sandboxie, the NTFS.sys filesystem driver, and the fileinfo.sys filter driver (responsible for doing prefetch and superfetch/readyboost).

        // Thread at the time of the crash on CPU0:
        0: kd> !thread
        THREAD fffffa80018d3b60 Cid 0004.0018 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
        Not impersonating
        DeviceMap fffff8a000008c10
        Owning Process fffffa80018bf040 Image: System
        Attached Process N/A Image: N/A
        Wait Start TickCount 16652232 Ticks: 0
        Context Switch Count 425948
        UserTime 00:00:00.000
        KernelTime 00:00:05.296
        Win32 Start Address nt!ExpWorkerThread (0xfffff80002c88050)
        Stack Init fffff8800318fdb0 Current fffff8800318f9f0
        Base fffff88003190000 Limit fffff8800318a000 Call 0
        Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
        Child-SP RetAddr : Args to Child : Call Site
        fffff880`0318e8e8 fffff880`0125d3d8 : 00000000`00000024 00000000`001904fb fffff880`0318f8d8 fffff880`0318f130 : nt!KeBugCheckEx
        fffff880`0318e8f0 fffff880`01331f80 : fffff880`0128dfc8 fffff880`0318fbe0 fffff880`0318fbe0 fffffa80`01fb8000 : Ntfs! ?? ::FNODOBFM::`string'+0x2cc9
        fffff880`0318e930 fffff800`02ca94dc : 00000000`3966744e 00000000`00000000 00000000`00000000 00000000`00000004 : Ntfs! ?? ::NNGAKEGL::`string'+0x7d3d
        fffff880`0318e980 fffff800`02ca0bed : fffff880`0128dfbc fffff880`0318fbe0 00000000`00000000 fffff880`0123c000 : nt!_C_specific_handler+0x8c
        fffff880`0318e9f0 fffff800`02ca8250 : fffff880`0128dfbc fffff880`0318ea68 fffff880`0318f8d8 fffff880`0123c000 : nt!RtlpExecuteHandlerForException+0xd
        fffff880`0318ea20 fffff800`02cb51b5 : fffff880`0318f8d8 fffff880`0318f130 fffff880`00000000 fffff880`0318fc38 : nt!RtlDispatchException+0x410
        fffff880`0318f100 fffff800`02c7a542 : fffff880`0318f8d8 fffffa80`01cdd910 fffff880`0318f980 fffff8a0`08db3b40 : nt!KiDispatchException+0x135
        fffff880`0318f7a0 fffff800`02c78e4a : 00010000`00005f1c fffff880`012d298e fffff8a0`005f8e00 fffffa80`02568180 : nt!KiExceptionDispatch+0xc2
        fffff880`0318f980 fffff880`012e66a7 : fffffa80`01cdd910 fffff800`02e1e5a0 fffff8a0`08db3b40 00000000`00000009 : nt!KiGeneralProtectionFault+0x10a (TrapFrame @ fffff880`0318f980)
        fffff880`0318fb10 fffff880`012c038f : fffffa80`01cdd910 fffff8a0`08db3c70 fffff8a0`08db3b40 fffffa80`02568180 : Ntfs!NtfsCommonClose+0x1e7
        fffff880`0318fbe0 fffff800`02c88161 : 00000000`00000000 fffff880`012c0200 fffff800`02e80101 00000000`0000000d : Ntfs!NtfsFspClose+0x15f
        fffff880`0318fcb0 fffff800`02f1e166 : 00000000`00000000 fffffa80`018d3b60 00000000`00000080 fffffa80`018bf040 : nt!ExpWorkerThread+0x111
        fffff880`0318fd40 fffff800`02c59486 : fffff880`009e6180 fffffa80`018d3b60 fffff880`009f0f40 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
        fffff880`0318fd80 00000000`00000000 : fffff880`03190000 fffff880`0318a000 fffff880`0318f9f0 00000000`00000000 : nt!KxStartSystemThread+0x16

        // Looks like both CPUs could have caused this crash:
        0: kd> !running -it
        System Processors: (0000000000000003)
        Idle Processors: (0000000000000000) (0000000000000000) (0000000000000000) (0000000000000000)
        Prcbs Current Next
        0 fffff80002df3e80 fffffa80018d3b60 ................
        *** Stack trace for last set context - .thread/.cxr resets it
        Child-SP RetAddr Call Site
        fffff880`0318fb10 fffff880`012c038f Ntfs!NtfsCommonClose+0x1e7
        fffff880`0318fbe0 fffff800`02c88161 Ntfs!NtfsFspClose+0x15f
        fffff880`0318fcb0 fffff800`02f1e166 nt!ExpWorkerThread+0x111
        fffff880`0318fd40 fffff800`02c59486 nt!PspSystemThreadStartup+0x5a
        fffff880`0318fd80 00000000`00000000 nt!KxStartSystemThread+0x16
        1 fffff880009e6180 fffffa8001f40b60 ................
        Child-SP RetAddr Call Site
        fffff880`0318fb10 fffff880`012c038f Ntfs!NtfsCommonClose+0x1e7
        fffff880`0318fbe0 fffff800`02c88161 Ntfs!NtfsFspClose+0x15f
        fffff880`0318fcb0 fffff800`02f1e166 nt!ExpWorkerThread+0x111
        fffff880`0318fd40 fffff800`02c59486 nt!PspSystemThreadStartup+0x5a
        fffff880`0318fd80 00000000`00000000 nt!KxStartSystemThread+0x16

        // Looking at system info to make sure this is a real dual-core box:
        0: kd> !sysinfo machineid
        Machine ID Information [From Smbios 2.2, DMIVersion 34, Size=1217]
        BiosVendor = Phoenix Technologies, LTD
        BiosVersion = 6.00 PG
        BiosReleaseDate = 04/06/2006
        SystemManufacturer =
        SystemProductName =
        SystemVersion =
        BaseBoardManufacturer = DFI Corp,LTD
        BaseBoardProduct = LP NF4 Series
        BaseBoardVersion = 1.0

        0: kd> !sysinfo cpuinfo
        [CPU Information]
        ~MHz = REG_DWORD 2400
        Component Information = REG_BINARY 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
        Configuration Data = REG_FULL_RESOURCE_DESCRIPTOR ff,ff,ff,ff,ff,ff,ff,ff,0,0,0,0,0,0,0,0
        Identifier = REG_SZ AMD64 Family 15 Model 43 Stepping 1
        ProcessorNameString = REG_SZ AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
        VendorIdentifier = REG_SZ AuthenticAMD

        // File System filters loaded that would be in play if ntfs.sys is performing FCB operations:
        0: kd> !filters
        Filter List: fffffa8004e73b70 "Frame 1"
        FLT_FILTER: fffffa8004e87010 "luafv" "135000"
        FLT_INSTANCE: fffffa8004e8f010 "luafv" "135000"
        FLT_FILTER: fffffa8004d342b0 "SbieDrv" "86900"
        FLT_INSTANCE: fffffa8004d4f600 "SbieDrv Instance" "86900"
        FLT_INSTANCE: fffffa8004d4fb50 "SbieDrv Instance" "86900"
        FLT_INSTANCE: fffffa80053af010 "SbieDrv Instance" "86900"
        FLT_INSTANCE: fffffa8005052cf0 "SbieDrv Instance" "86900"
        FLT_INSTANCE: fffffa8004e01cf0 "SbieDrv Instance" "86900"
        FLT_INSTANCE: fffffa8001e85670 "SbieDrv Instance" "86900"
        Filter List: fffffa80022a26e0 "Frame 0"
        FLT_FILTER: fffffa80022a3be0 "FileInfo" "45000"
        FLT_INSTANCE: fffffa8002434010 "FileInfo" "45000"
        FLT_INSTANCE: fffffa80024c9bb0 "FileInfo" "45000"
        FLT_INSTANCE: fffffa8002643bb0 "FileInfo" "45000"
        FLT_INSTANCE: fffffa80053afa00 "FileInfo" "45000"
        FLT_INSTANCE: fffffa80053d5bb0 "FileInfo" "45000"
        FLT_INSTANCE: fffffa8001e91bb0 "FileInfo" "45000"

        // Looks like you just installed the very latest Sandboxie driver:
        0: kd> lmvm SbieDrv
        start end module name
        fffff880`052a7000 fffff880`052cd000 SbieDrv (deferred)
        Image path: \??\C:\Program Files\Sandboxie\SbieDrv.sys
        Image name: SbieDrv.sys
        Timestamp: Sun Jul 04 05:50:33 2010 (4C305969)
        CheckSum: 0002BC56
        ImageSize: 00026000
        Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

        // After walking pool and memory, I came across this being accessed at the time:
        0: kd> dc fffffa80023914b0
        fffffa80`023914b0 053a2540 fffffa80 04bd6e30 fffffa80 @%:.....0n......
        fffffa80`023914c0 04bf23a0 fffffa80 00000000 00000000 .#..............
        fffffa80`023914d0 00000000 fffffa80 00060001 00000000 ................
        fffffa80`023914e0 023914e0 fffffa80 023914e0 fffffa80 ..9.......9.....
        fffffa80`023914f0 00000000 00000000 023914f8 fffffa80 ..........9.....
        fffffa80`02391500 023914f8 fffffa80 03cd7578 fffff880 ..9.....xu......
        fffffa80`02391510 00170006 7866744e 00000000 500066e0 ....Ntfx.....f.P
        fffffa80`02391520 050296e0 fffffa80 01a276a0 fffffa80 .........v......

        0: kd> !pool fffffa8002391510 2
        Pool page fffffa8002391510 region is Nonpaged pool
        *fffffa80023914a0 size: 1e0 previous size: 80 (Free) *FIPc
        Pooltag FIPc : FileInfo FS-filter Prefetch Context, Binary : fileinfo.sys

        0: kd> lmvm fileinfo
        start end module name
        fffff880`010ae000 fffff880`010c2000 fileinfo (pdb symbols) d:\symbols\fileinfo.pdb\99DAA03EB2014EFE91E56C3EF9ADE0F01\fileinfo.pdb
        Loaded symbol image file: fileinfo.sys
        Image path: \SystemRoot\system32\drivers\fileinfo.sys
        Image name: fileinfo.sys
        Timestamp: Mon Jul 13 19:34:25 2009 (4A5BC481)
        CheckSum: 00015644
        ImageSize: 00014000
        Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

    Given this info, it almost looks like there's some confusion here between NTFS.sys decrementing the FCB to remove it from the lock list, but we crashed before the IRP could be created. I also see the prefetch filter involved, so I'm wondering if something on the system is overwriting memory (for what it's worth, NTFS.sys tried to write to 0xFFFFFFFFFFFFFFFF, which of course is going to fail) because this should really never happen. Someone (specifically, likely some filter or system security driver) is working behind the scenes on IRP generation. Given what Sandboxie does, I'm quite curious as to what the system would do without that installed...
  19. If you open the Sound control panel, which device is listed as the Default playback device?
  20. Yes, although that sounds like a kernel-only dump. We'll see what we can do - upload it somewhere after zipping it and we'll have a look.
  21. If you've got a .dmp of explorer.exe crashing, uploading it to a web hoster (after zipping it, of course) would be useful, yes.
  22. Some insight into your hardware to tell you if in fact the drivers are on the disc or not would be most helpful as well. Welcome to MSFN!
  23. I feel your pain. As someone who sits in hiring sessions with recent college grads for development positions, the forced usage of Java is really putting these kids at a disadvantage in the working world. Java's good at some things, but it teaches some really bad habits and is poor at getting kids to learn pointers and functional programming, both of which they're going to need to learn to use languages other than Java. There's no way for me to tell if a potential hire is a good candidate or not when they want to do everything in Java, and the fact that we're mostly a Windows shop also means that a lack of knowledge of C, C++, and .NET languages is a drawback as well. Back when I went to school, we had to learn C, pointers, recursive programming, etc - it was difficult on purpose, because it taught you how to be a GOOD developer, not just how to develop. I wish more schools would try harder to make their grads more qualified for what's out there in the real world, but I guess class sizes and budgets are the main concern, not necessarily the education they're giving (or, in fact, NOT giving) those students. I guess LIT has gone to Java ... boo. /rant I'm off my soapbox... for now.
  24. You might want to read this.
  25. @xinehp, welcome to MSFN - there's always going to be multiple ways to write a script, and multiple languages or script environments/parsers to do it in. And it's also worth noting that Java and JavaScript (while both contain the word java) are in no way related. JavaScript, VBScript, PowerShell, and .cmd/batch file execution are all native to Windows 7 / Server 2008 R2. It appears there are multiple scripts in this thread, in multiple parsers and languages which will achieve what you would like to achieve. Let us know which one (or ones) work for you, and remember that using a specific language or parser to write a script is only easy because you know how to use it. I must reiterate that while you can use a .cmd in Windows 7, you should consider learning things like VBScript, JavaScript, and PowerShell for administrative scripts simply because they're far more powerful, and they are all (frankly) very easy to use once you learn how to write for them.